spec/codecs/netflow_spec.rb in logstash-codec-netflow-3.12.0 vs spec/codecs/netflow_spec.rb in logstash-codec-netflow-3.13.0
- old
+ new
@@ -903,10 +903,66 @@
expect(JSON.parse(decode[28].to_json)).to eq(JSON.parse(json_events[0]))
end
end
+ context "Netflow 9 ipt_netflow reduced size encoding" do
+ let(:data) do
+ packets = []
+ packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_iptnetflow_reduced_size_encoding_tpldata260.dat"), :mode => "rb")
+ end
+
+ let(:json_events) do
+ events = []
+ events << <<-END
+ {
+ "netflow": {
+ "l4_src_port": 443,
+ "last_switched": "2018-02-18T05:46:54.999Z",
+ "ingressPhysicalInterface": 7,
+ "in_bytes": 187,
+ "tcpOptions": 2164260864,
+ "in_dst_mac": "00:1b:21:bc:24:dd",
+ "protocol": 6,
+ "output_snmp": 8,
+ "ethernetType": 2048,
+ "src_tos": 0,
+ "l4_dst_port": 38164,
+ "input_snmp": 7,
+ "version": 9,
+ "in_pkts": 3,
+ "flow_seq_num": 344481,
+ "ipv4_next_hop": "10.232.5.1",
+ "flowset_id": 260,
+ "first_switched": "2018-02-18T05:46:54.999Z",
+ "tcp_flags": 25,
+ "ipv4_dst_addr": "10.233.150.21",
+ "ipv4_src_addr": "2.17.140.47",
+ "in_src_mac": "90:e2:ba:23:09:fc",
+ "egressPhysicalInterface": 8
+ },
+ "@timestamp": "2018-02-18T05:47:09.000Z",
+ "@version": "1"
+ }
+ END
+
+ events.map{|event| event.gsub(/\s+/, "")}
+ end
+
+ it "should decode raw data" do
+ expect(decode.size).to eq(12)
+ expect(decode[11].get("[netflow][in_dst_mac]")).to eq("00:1b:21:bc:24:dd")
+ expect(decode[11].get("[netflow][ipv4_src_addr]")).to eq("2.17.140.47")
+ end
+
+ it "should serialize to json" do
+ expect(JSON.parse(decode[11].to_json)).to eq(JSON.parse(json_events[0]))
+ end
+
+ end
+
+
context "Netflow 9 IE150 IE151" do
let(:data) do
packets = []
packets << IO.read(File.join(File.dirname(__FILE__), "netflow9_test_unknown_tpl266_292_data.dat"), :mode => "rb")
end
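Review bot: The expected values in the new `ipt_netflow` context (`"ipv4_src_addr": "2.17.140.47"`, plus full `in_src_mac`/`in_dst_mac` values) look like they come from a live capture rather than constructed data. The Barracuda context in the next hunk has the same trait, with public-looking addresses and a firewall rule name `MTH:MTH-MC-to-Inet`. If these `.dat` files were recorded on a production network, they publish real endpoint and policy details with the gem. Consider rewriting the captures to documentation ranges such as `192.0.2.0/24` and updating the expected JSON to match. Failing that, a comment above `let(:data)` recording where the capture came from and that it is cleared for release would help.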
@@ -1079,9 +1135,73 @@
expect(decode[7].get("[netflow][proceraFlowBehavior]")).to eq("INTERACTIVE,CLIENT_IS_LOCAL,INBOUND,ESTABLISHED,ACTIVE")
end
it "should serialize to json" do
expect(JSON.parse(decode[7].to_json)).to eq(JSON.parse(json_events[0]))
+ end
+
+ end
+
+ context "IPFIX Barracuda extended uniflow template 256" do
+ let(:data) do
+ packets = []
+ packets << IO.read(File.join(File.dirname(__FILE__), "ipfix_test_barracuda_extended_uniflow_tpl256.dat"), :mode => "rb")
+ packets << IO.read(File.join(File.dirname(__FILE__), "ipfix_test_barracuda_extended_uniflow_data256.dat"), :mode => "rb")
+ end
+
+ let(:json_events) do
+ events = []
+ events << <<-END
+ {
+ "netflow": {
+ "FW_Rule": "MTH:MTH-MC-to-Inet",
+ "AuditCounter": 4157725,
+ "sourceIPv4Address": "64.235.151.76",
+ "version": 10,
+ "sourceTransportPort": 443,
+ "sourceMacAddress": "00:00:00:00:00:00",
+ "ingressInterface": 3689,
+ "flowEndSysUpTime": 1957197969,
+ "octetTotalCount": 0,
+ "ConnTransportPort": 443,
+ "ConnIPv4Address": "64.235.151.76",
+ "firewallEvent": 1,
+ "protocolIdentifier": 6,
+ "flowStartSysUpTime": 1957197969,
+ "TrafficType": 0,
+ "destinationTransportPort": 51917,
+ "packetTotalCount": 0,
+ "BindIPv4Address": "213.208.150.99",
+ "Timestamp": 1524039407,
+ "flowDurationMilliseconds": 0,
+ "ServiceName": "https",
+ "BindTransportPort": 64238,
+ "octetDeltaCount": 0,
+ "packetDeltaCount": 0,
+ "destinationIPv4Address": "10.236.5.4",
+ "LogOp": 1,
+ "Reason": 0,
+ "egressInterface": 35233,
+ "ReasonText": "Normal Operation"
+ },
+ "@version": "1",
+ "@timestamp": "2018-04-18T08:16:47.000Z"
+ }
+ END
+
+ events.map{|event| event.gsub(/\s+/, "")}
+ events.map{|event| event.gsub(/NormalOperation/, "Normal Operation")}
+ end
+
+ it "should decode raw data" do
+ expect(decode.size).to eq(2)
+ expect(decode[1].get("[netflow][FW_Rule]")).to eq("MTH:MTH-MC-to-Inet")
+ expect(decode[1].get("[netflow][ReasonText]")).to eq("Normal Operation")
+ expect(decode[1].get("[netflow][BindIPv4Address]")).to eq("213.208.150.99")
+ end
+
+ it "should serialize to json" do
+ expect(JSON.parse(decode[1].to_json)).to eq(JSON.parse(json_events[0]))
end
end
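Review bot: In the Barracuda `json_events` block, the result of `events.map{|event| event.gsub(/\s+/, "")}` is discarded, so the block returns only the second `map`. That second `map` runs on the unstripped heredoc, where `NormalOperation` never occurs, so it is a no-op as well. The spec passes only because `JSON.parse` tolerates the leftover whitespace, which hides the fact that neither line does anything. Either chain them, `events.map { |event| event.gsub(/\s+/, "").gsub("NormalOperation", "Normal Operation") }`, or drop both lines and return `events`, which keeps `"Normal Operation"` intact without a repair step.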